Securing DNS clients

The following considerations have security implications for DNS clients in a DNS infrastructure:

Whenever possible, specify static IP addresses for the preferred and alternate DNS servers used by a DNS client. If a DNS client is configured to obtain its DNS server addresses automatically, it will obtain them from a DHCP server. While this method of obtaining DNS server addresses is secure, it is only as secure as the DHCP server. By configuring DNS clients with static IP addresses for the preferred and alternate DNS servers, you eliminate one possible avenue of attack.

Control which DNS clients have access to the DNS server. If a DNS server is configured to listen only on specific IP addresses, then only DNS clients configured to use these IP addresses as preferred and alternate DNS servers will contact the DNS server.
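
To check the first consideration on an existing Windows client, the following added example (not part of the original page) reports whether each active adapter takes its DNS servers from static configuration or from DHCP, and flags any server outside an approved list. The `$ApprovedDns` addresses are constructed placeholders, and the report column names are illustrative.

```powershell
# Added example: audit the source of each adapter's DNS server addresses.
# $ApprovedDns is an assumed placeholder list (documentation addresses);
# replace it with the preferred and alternate DNS servers for your network.
$ApprovedDns = @('192.0.2.10', '192.0.2.11')

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

$report = foreach ($nic in Get-NetAdapter | Where-Object Status -eq 'Up') {
    $key = Join-Path $base $nic.InterfaceGuid
    $reg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # NameServer holds statically configured servers. When it is empty the
    # adapter uses the servers handed out by DHCP, stored in DhcpNameServer.
    $static = @($reg.NameServer     -split '[ ,]+' | Where-Object { $_ })
    $dhcp   = @($reg.DhcpNameServer -split '[ ,]+' | Where-Object { $_ })

    # Servers the DNS client is actually using on this adapter (IPv4).
    $effective = @((Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex `
                        -AddressFamily IPv4).ServerAddresses)

    $source = if ($static.Count -gt 0) { 'Static' }
              elseif ($dhcp.Count -gt 0) { 'DHCP' }
              else { 'None' }

    # Any server in use that is not on the approved list.
    $unapproved = @($effective | Where-Object { $_ -notin $ApprovedDns })

    [pscustomobject]@{
        Adapter    = $nic.Name
        Source     = $source
        InUse      = $effective -join ', '
        Unapproved = $unapproved -join ', '
        Compliant  = ($source -eq 'Static' -and $unapproved.Count -eq 0)
    }
}

$report | Format-Table -AutoSize

# Summary line suitable for a scheduled compliance check.
$bad = @($report | Where-Object { -not $_.Compliant })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} adapter(s) use DHCP-assigned or unapproved DNS servers." -f $bad.Count)
}
```

An adapter reported as `DHCP` can be moved to static servers with `Set-DnsClientServerAddress -InterfaceIndex <index> -ServerAddresses <addresses>`.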